module
WMI Event Subscription Process Persistence
| Disclosed |
|---|
| Jun 6, 2017 |
Disclosed
Jun 6, 2017
Description
This module will create a permanent WMI event subscription to achieve file-less persistence using an event filter
that triggers the payload when the specified process is started.
Additionally a custom command can be specified to run once the trigger is
activated using the advanced option CustomPsCommand. This module requires administrator level privileges as well as a
high integrity process. It is also recommended to use staged payloads due to powershell script length limitations.
Many built-in apps on Windows 10/11 launch via a modern UWP app (Win32Bridge.Server.exe or ApplicationFrameHost.exe),
not the legacy binary (like calc.exe). If you pick one of these apps, like calc.exe, it can still be triggered
from command line, however GUI execution will not work.
Duplicate CLASSNAMEs will not overwrite, so if the env isn't cleaned up before
re-exploitation, the exploitation will fail.
Tested and works being launched from GUI (windows 10):
chrome.exe (several shells at once)
calc.exe (only from command line calc.exe or calc)
msedge.exe (several shells at once)
cmd.exe
that triggers the payload when the specified process is started.
Additionally a custom command can be specified to run once the trigger is
activated using the advanced option CustomPsCommand. This module requires administrator level privileges as well as a
high integrity process. It is also recommended to use staged payloads due to powershell script length limitations.
Many built-in apps on Windows 10/11 launch via a modern UWP app (Win32Bridge.Server.exe or ApplicationFrameHost.exe),
not the legacy binary (like calc.exe). If you pick one of these apps, like calc.exe, it can still be triggered
from command line, however GUI execution will not work.
Duplicate CLASSNAMEs will not overwrite, so if the env isn't cleaned up before
re-exploitation, the exploitation will fail.
Tested and works being launched from GUI (windows 10):
chrome.exe (several shells at once)
calc.exe (only from command line calc.exe or calc)
msedge.exe (several shells at once)
cmd.exe
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.